From 91500b752b922c5866215ac8549c4b9a19bb3269 Mon Sep 17 00:00:00 2001
From: Thomas Defise <36169753+tdefise@users.noreply.github.com>
Date: Wed, 8 Nov 2023 10:09:11 +0100
Subject: [PATCH] fix(terraform): Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 (#5687)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Created check CKV_AZURE_228
* Updating "CKV_AZURE_153"
* Removing file not applicable to this PR
* Removing file not applicable for the PR
* Made file PEP8 compliant
* Restore to how it was before
* Fixing syntax issue
* Adjusted test_app_service_linux_web_resources()
* Adjusted PR reference
* Adapted test_app_service_linux_web_resources
* adjust test value
---------
Co-authored-by: Thomas Defise
Co-authored-by: Anton GrĂ¼bel
---
 .../resource/azure/AppServiceSlotHTTPSOnly.py | 4 +--
 .../example_AppServiceSlotHTTPSOnly/main.tf | 33 +++++++++++++++++++
 .../azure/test_AppServiceSlotHTTPSOnly.py | 11 +++++--
 .../test_runner_azure_resources.py | 5 +--
 4 files changed, 46 insertions(+), 7 deletions(-)
diff --git a/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py b/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py
index cf80b55ec85..f9ea1d6e8f7 100644
--- a/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py
+++ b/checkov/terraform/checks/resource/azure/AppServiceSlotHTTPSOnly.py
@@ -6,12 +6,12 @@ class AppServiceSlotHTTPSOnly(BaseResourceValueCheck):
 def __init__(self):
 name = "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot"
 id = "CKV_AZURE_153"
- supported_resources = ['azurerm_app_service_slot']
+ supported_resources = ["azurerm_app_service_slot", "azurerm_linux_web_app_slot", "azurerm_windows_web_app_slot"]
 categories = [CheckCategories.NETWORKING]
 super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 def get_inspected_key(self):
- return 'https_only/[0]'
+ return "https_only/[0]"
 check = AppServiceSlotHTTPSOnly()
diff --git a/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf b/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf
index e981a4e2144..ffcbd1462e4 100644
--- a/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf
+++ b/tests/terraform/checks/resource/azure/example_AppServiceSlotHTTPSOnly/main.tf
@@ -26,6 +26,23 @@ resource "azurerm_app_service_slot" "fail" {
 }
+resource "azurerm_linux_web_app_slot" "fail" {
+ name = "fail-slot"
+ app_service_id = azurerm_linux_web_app.fail.id
+ https_only = false
+
+ site_config {}
+}
+
+resource "azurerm_windows_web_app_slot" "fail" {
+ name = "fail-slot"
+ app_service_id = azurerm_windows_web_app.fail.id
+ https_only = false
+
+ site_config {}
+}
+
+
 resource "azurerm_app_service_slot" "fail2" {
 name = random_id.server.hex
 app_service_name = azurerm_app_service.example.name
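Review bot: In `AppServiceSlotHTTPSOnly.py`, `get_inspected_key` returns `https_only/[0]` without any comment on what the check reports when a slot leaves `https_only` out, and the check now covers three resource types instead of one. That result is decided by `BaseResourceValueCheck`, which is not visible in this hunk, so the intended behaviour should be written next to the key, for example `# https_only is optional on all three slot resources; an unset value must be reported as failed because HTTPS is then not enforced`. The class header sits outside the hunk, so confirm the base class's missing-attribute result before relying on that wording.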
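Review bot: The fixtures added to `example_AppServiceSlotHTTPSOnly/main.tf` cover only an explicit `https_only = false` here and an explicit `https_only = true` in the second hunk for `azurerm_linux_web_app_slot` and `azurerm_windows_web_app_slot`; neither new type has a resource that omits the attribute. Omitting it is a likely way for a slot to be left without the HTTPS redirect, so a `fail2` resource per new type with no `https_only` line, added to `failing_resources` in the test, would pin that the check fails in that case. The existing `azurerm_app_service_slot.fail2` may already do this for the legacy type, but its body continues outside the hunk.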
@@ -77,3 +94,19 @@ resource "azurerm_app_service_slot" "pass" {
 value = "Server=some-server.mydomain.com;Integrated Security=SSPI"
 }
 }
+
+resource "azurerm_linux_web_app_slot" "pass" {
+ name = "pass-slot"
+ app_service_id = azurerm_linux_web_app.pass.id
+ https_only = true
+
+ site_config {}
+}
+
+resource "azurerm_windows_web_app_slot" "pass" {
+ name = "pass-slot"
+ app_service_id = azurerm_windows_web_app.pass.id
+ https_only = true
+
+ site_config {}
+}
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py b/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py
index 7ffe4f37eb8..f627a7966f8 100644
--- a/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py
+++ b/tests/terraform/checks/resource/azure/test_AppServiceSlotHTTPSOnly.py
@@ -20,18 +20,23 @@ def test(self):
 passing_resources = {
 "azurerm_app_service_slot.pass",
+ "azurerm_linux_web_app_slot.pass",
+ "azurerm_windows_web_app_slot.pass",
 }
 failing_resources = {
 "azurerm_app_service_slot.fail",
 "azurerm_app_service_slot.fail2",
+ "azurerm_linux_web_app_slot.fail",
+ "azurerm_windows_web_app_slot.fail",
 }
+ skipped_resources = {}
 passed_check_resources = {c.resource for c in report.passed_checks}
 failed_check_resources = {c.resource for c in report.failed_checks}
- self.assertEqual(summary["passed"], 1)
- self.assertEqual(summary["failed"], 2)
- self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary['passed'], len(passing_resources))
+ self.assertEqual(summary['failed'], len(failing_resources))
+ self.assertEqual(summary['skipped'], len(skipped_resources))
 self.assertEqual(summary["parsing_errors"], 0)
 self.assertEqual(passing_resources, passed_check_resources)
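Review bot: `skipped_resources = {}` in `test_AppServiceSlotHTTPSOnly.py` creates a dict, while `passing_resources` and `failing_resources` beside it are sets; `len()` returns 0 either way, but `skipped_resources = set()` keeps the three collections the same type. The three rewritten assertions also use single quotes (`summary['passed']`), while the untouched `summary["parsing_errors"]` line below them uses double quotes and the check file in this same commit was moved to double quotes. The `test` method begins and ends outside the hunk.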
--- a/tests/terraform/image_referencer/test_runner_azure_resources.py
+++ b/tests/terraform/image_referencer/test_runner_azure_resources.py
@@ -182,7 +182,7 @@ def test_app_service_linux_web_resources(mocker: MockerFixture, graph_framework)
 assert len(tf_report.resources) == 2
 assert len(tf_report.passed_checks) == 4
- assert len(tf_report.failed_checks) == 13
+ assert len(tf_report.failed_checks) == 14
 assert len(tf_report.skipped_checks) == 0
 assert len(tf_report.parsing_errors) == 0
@@ -271,7 +271,8 @@ def test_app_service_windows_web_resources(mocker: MockerFixture, graph_framewor
 assert len(tf_report.resources) == 2
 assert len(tf_report.passed_checks) == 4
- assert len(tf_report.failed_checks) == 13
+ # Changed from 13 to 14 due to PR #5687
+ assert len(tf_report.failed_checks) == 14
 assert len(tf_report.skipped_checks) == 0
 assert len(tf_report.parsing_errors) == 0
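Review bot: Both hunks in `test_runner_azure_resources.py` raise a bare total, `len(tf_report.failed_checks) == 14`, which does not show which check now fires and will need editing again whenever another check starts covering these resources. Only the windows hunk explains the new number; the linux hunk has no comment, and a comment naming the check would age better than one naming the PR, e.g. `# 14 includes the slot HTTPS-only check (presumably CKV_AZURE_153)`. Asserting the id as well, `assert "CKV_AZURE_153" in {c.check_id for c in tf_report.failed_checks}`, would pin the intent, provided that is in fact the check responsible for the extra failure. Both test functions start and end outside their hunks.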